Tavily Search Native Node

Pass

Audited by VirusTotal on May 10, 2026.

Overview

Type: OpenClaw Skill
Name: tavily-search-native-node
Version: 1.0.4

The skill is a minimal, well-documented implementation of a Tavily web search tool using native Node.js with zero dependencies. It correctly handles credentials via environment variables, communicates only with the official Tavily API (api.tavily.com), and contains no evidence of data exfiltration, malicious execution, or prompt injection.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing or using the skill requires exposing a Tavily API key to the OpenClaw process, and searches may consume Tavily credits under that account.

Why it was flagged

The skill reads a Tavily API key from the process environment and uses it to authenticate to Tavily. This is sensitive credential use, but it is directly related to the stated search purpose and the code does not print or write the key.

Skill content

const value = (process.env.TAVILY_API_KEY || "").trim(); ... Authorization: `Bearer ${apiKey}`

Recommendation

Use a Tavily key with appropriate limits, monitor usage, and revoke or rotate the key if it is no longer needed.

What this means

Search terms and selected options are sent to Tavily, so sensitive private queries could be disclosed to that service.

Why it was flagged

The skill discloses that user search queries are sent to the external Tavily provider. This is expected for web search, but users should understand the data flow.

Skill content

Privacy-sensitive queries (searches transmit to api.tavily.com)

Recommendation

Avoid using this skill for private, confidential, or regulated search queries unless sending them to Tavily is acceptable.